Hack the Box Challenge: Chatterbox Walkthrough

Hello friends!! Today we are going to solve another CTF challenge, “Chatterbox”, which is categorised as a retired lab presented by Hack the Box for online penetration-testing practice.

Level: Easy

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are accessible online, they have static IPs. The IP of Chatterbox is 10.10.10.74, so let’s start with nmap port enumeration.

It showed two open ports but did not identify the services running on them.

Therefore we took help from Google and searched for any exploit related to these ports, as shown in the image below, which turned up two exploits related to Achat. First we tried the Metasploit exploit to compromise the victim’s machine and almost succeeded in obtaining a meterpreter session, but the session died within a few seconds.

Thus we chose the manual technique to compromise the victim’s machine, using Exploit-DB 36025.

Exploit 36025 is already stored inside Kali Linux, and we copied it to the Desktop.

According to this Python script, the target is exploitable via buffer overflow, and the highlighted msfvenom command is used to generate the payload.

With the help of the above script, we executed the following command to generate the payload.

Then we copied the generated shellcode.

Now open the original 36025.py which you saved on the desktop, paste the copied shellcode there, and then enter the victim’s IP (10.10.10.74) as Server_address. Start Netcat to catch the reverse connection before running this script.

nc -lvp 1234

Now run your Python script to launch the buffer overflow attack on the victim’s machine.

python 36025.py

BOOooOOMM!! Here we have a command shell on the victim’s machine. Let’s finish the task by grabbing both flags.

Inside C:\Users\Alfred\Desktop we found the user.txt flag and used the type “filename” command to read it.

Great!! We got our 1st flag successfully.

Inside C:\Users\Administrator\Desktop we found the root.txt file and used the type “filename” command to read it.

But the file did not open due to insufficient permissions.

With the help of the following cacls command, we can view the file’s permissions and change them; here we granted read access to user Alfred for root.txt.

Congratulations!! The 2nd task is also completed.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets. Contact here

Hack the Box Challenge: Crimestoppers Walkthrough

Hello friends!! Today we are sharing our experience, which can be helpful in solving the new CTF challenge Crimestoppers of Hack The Box. Solving this lab is not that easy; all you need is your penetration-testing skill to solve this challenge.

Level: Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

Let’s Begin!!

These labs are only available online, therefore they have a static IP. Crimestoppers has IP 10.10.10.69.

As we know, the initial stage is enumeration; therefore we used an nmap aggressive scan to gather information about the target machine and its running services.

Knowing port 80 was open on the victim’s machine, we opened its IP in the browser and the following page appeared, as shown below. Here we can see it has two pages, home and upload, but we found nothing suspicious.

Next we used Kali’s dirb tool to enumerate directories and found some important ones such as http://10.10.10.80/?op=view, which we then explored in the web browser.

At upload, you can submit any comment as a Tip in order to provide some information. So we tried to upload malicious code here but failed each time.

If you observe the URL http://10.10.10.80/?op=upload, you will realize that it looks like an LFI.

But it was not that easy to extract information by exploiting the LFI with ../etc/passwd, so with a little more effort and help from my previous article, we used a curl command to read the page’s contents through the PHP base64-encode filter.

As a result, it returned base64-encoded text which we needed to decode.

To decode the base64-encoded text, follow the syntax below; we found a PHP script pointing toward some kind of token and a secretname which was a link to the uploads directory.

Syntax: echo BASE64TEXT | base64 -d
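The ?op= parameter above is the classic shape of a local file inclusion: a request value is spliced into a file path. As an added example (not the lab’s source and not part of the original write-up), the snippet below contrasts that pattern with an allowlisted router and adds a small detection helper a defender could run over request parameters. WEB_ROOT, the page names and the sample inputs are constructed for illustration.

```python
import os
import re

# Constructed example: a tiny "page router" mirroring the ?op= pattern.
# WEB_ROOT and PAGES are assumptions, not the Crimestoppers application's code.
WEB_ROOT = "/var/www/html"
PAGES = {"home": "home.php", "view": "view.php", "upload": "upload.php"}

# What a defender flags in a parameter that ends up in an include():
# a stream-wrapper scheme, parent-directory traversal, or a NUL byte.
LFI_PROBE_RE = re.compile(r"(?i)(^[a-z][a-z0-9+.-]*://|\.\./|\.\.\\|%2e%2e|\x00|%00)")


def vulnerable_include(op: str) -> str:
    """The defect: the parameter is concatenated straight into the include
    path, so php://filter/... or ../ reaches the interpreter unchanged."""
    return op + ".php"


def hardened_include(op: str) -> str:
    """Allowlist: only a known page name maps to a file under WEB_ROOT.
    Anything else is rejected before any file is touched."""
    if op not in PAGES:
        raise ValueError(f"unknown page: {op!r}")
    return os.path.join(WEB_ROOT, PAGES[op])


def is_rejected(op: str) -> bool:
    """True when the hardened router refuses the value."""
    try:
        hardened_include(op)
    except ValueError:
        return True
    return False


def looks_like_lfi_probe(value: str) -> bool:
    """Detection helper for log or WAF review: True when a parameter value
    carries a wrapper scheme, traversal sequence or NUL byte."""
    return LFI_PROBE_RE.search(value) is not None


if __name__ == "__main__":
    # Constructed inputs: a normal page, a base64 source-read probe, traversal.
    for value in ("view", "php://filter/convert.base64-encode/resource=index", "../../etc/passwd"):
        print(f"{value!r}: probe={looks_like_lfi_probe(value)} "
              f"vulnerable->{vulnerable_include(value)!r} rejected={is_rejected(value)}")
```

The allowlist is the fix; the regex is only a detection aid for reviewing access logs, and will miss encodings it does not list.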

After struggling a lot, we finally uploaded our PHP backdoor with the help of Burp Suite. Follow the steps given below to upload the PHP web shell.

Open php-reverse-shell.php, which is built into Kali Linux at /usr/share/webshells/php, modify the ATTACKER’s IP and save the file on the desktop. Here we renamed it shell.php and compressed the file.

In order to capture the request from the web browser, enter the information for Tip and name, then turn on Burp Suite and click Send Tip.

Now, to upload the content of our PHP backdoor through Burp, select the string “shell” for name = tip as shown below.

Then open the PHP file and paste its content in place of shell.

As you can observe, we have successfully uploaded our malicious PHP content here.

Now forward the intercepted request and you will get the secretname for the uploaded file, as highlighted; copy it. Then forward the request again and it will give the success.txt message. Finally, forward the request one more time.

Do not forget to launch netcat for the reverse connection before executing your uploaded file.

nc -lvp 1234

Now open the browser and execute the following command, which contains the secretname of the uploaded file (the PHP backdoor), and you will get a netcat session for the reverse connection.


Because we love to work with meterpreter sessions, we used the Metasploit web_delivery module to generate malicious Python code as shown.

Paste the copied code into netcat, which will provide a meterpreter session inside the Metasploit framework.

HURRAYYYY!!! We got our meterpreter session; now let’s grab the user.txt file first.

Inside /home/dom we found the user.txt file and used the cat “filename” command to read it.

cd home

ls

cd dom

ls

cat user.txt

Great!! We got our 1st flag successfully.

Now we need to find the root.txt file to finish this challenge, and believe me, it was not easy until you find the hint hidden by the author. We tried every possible method to escalate privileges and gain root access, but this one was quite different from the previous labs.

After digging further we found “36jinndk.default” inside /home/dom/.thunderbird, which was an encrypted Thunderbird profile, so we downloaded it to our local system.

Since it was an encrypted Thunderbird profile, with help from Google we found a Python script at this link: https://github.com/unode/firefox_decrypt for decrypting it.

With the help of the following command, we successfully recovered the password: Gummer59

We used this password to switch to user dom with the following command, then moved into the crimestoppers.htb directory, which looked like his mailbox directory, where we found many files such as INBOX.

First we looked into INBOX for any hint about root.txt but found nothing related to the flag; similarly we opened the other files but found nothing.

At last we opened Drafts-1 and read the following line, which looked like a hint for root access.

“I don’t trust them and run rkhunter, it reported that there a rootkit installed called:apache_modrootme backdoor” and its execution method.

So, following that path, we found the access.log.2.gz file; since it was a compressed file, it was better to copy it into /tmp for the next steps.

Now let’s move into /tmp and extract the copied file with the help of gunzip.

In the log you can observe a command “FunSociety” which has been executed several times.
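Spotting that repeated request in access.log is the kind of review a defender can automate. The following added example (not from the write-up, and the log lines are constructed, not the lab’s real access.log.2.gz) parses Apache combined-format lines and reports any path outside a known route list that one client requests repeatedly; the route list and threshold are assumptions.

```python
import re
from collections import Counter

# Apache "combined" format: client identd user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines for this example (not the lab's actual log).
SAMPLE_LOG = """\
10.10.14.3 - - [10/Mar/2018:09:12:01 +0000] "GET / HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
10.10.14.3 - - [10/Mar/2018:09:12:05 +0000] "GET /?op=upload HTTP/1.1" 200 988 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Mar/2018:09:20:10 +0000] "GET /FunSociety HTTP/1.1" 200 2 "-" "curl/7.47.0"
127.0.0.1 - - [10/Mar/2018:09:21:44 +0000] "GET /FunSociety HTTP/1.1" 200 2 "-" "curl/7.47.0"
127.0.0.1 - - [10/Mar/2018:09:25:03 +0000] "GET /FunSociety HTTP/1.1" 200 2 "-" "curl/7.47.0"
10.10.14.3 - - [10/Mar/2018:09:26:40 +0000] "GET /uploads/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
this line is not a log record and must be skipped
"""

# Assumed set of routes the application legitimately serves.
KNOWN_ROUTES = {"/", "/?op=home", "/?op=upload", "/?op=view", "/uploads/"}


def parse_log(text: str):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match:
            record = match.groupdict()
            record["status"] = int(record["status"])
            yield record


def repeated_unknown_paths(text: str, known_routes=frozenset(KNOWN_ROUTES), threshold: int = 3):
    """Return {(client_ip, path): hits} for paths not in known_routes that a
    single client requested at least `threshold` times. A hit count on an
    unknown path from localhost is exactly the pattern worth a closer look."""
    counts = Counter(
        (rec["ip"], rec["path"])
        for rec in parse_log(text)
        if rec["path"] not in known_routes
    )
    return {key: hits for key, hits in counts.items() if hits >= threshold}


if __name__ == "__main__":
    for (ip, path), hits in sorted(repeated_unknown_paths(SAMPLE_LOG).items()):
        print(f"{ip} requested {path} {hits} times")
```

Feed it the decompressed log from /tmp (open the file and pass its text) and lower the threshold if the site has little traffic; unknown paths that return 200 deserve the most attention, since an unregistered route that answers successfully means something other than the application is handling it.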

As per the message read from Drafts-1, we ran netcat against localhost on port 80 and got root access when the following commands were executed.

Now let’s get the root.txt and finish this task.

BOOOOOM!!!! We hit the goal and completed both tasks.


Hack the Box Challenge: Jeeves Walkthrough

Hello Friends!! Today we are going to solve another CTF challenge, “Jeeves”. This VM is also developed by Hack the Box; Jeeves is a retired lab and there are multiple ways to breach this VM. In this lab we escalated to root privilege in 3 different ways, and for completing the challenge of this VM we took help from Tally (Hack the Box).

Level: Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

Let’s Begin!!

As these labs are only available online, they have a static IP. The Jeeves lab has IP 10.10.10.63.

Now, as always, let’s begin our hacking with port enumeration.

Looking at the result, we found ports 22, 80, 135, 445 and 50000 open; moreover, ports 135 and 445 point towards a Windows operating system.

First we checked the web service by opening the target IP in a web browser, which showed an “Ask Jeeves search engine” page. We tried searching for a website such as google.com, and a new page in the form of a fake error page came up.

Port 50000 in a web browser gave us an HTTP 404 error page.

Then we decided to use OWASP DirBuster for a directory brute-force attack.

From its result we found many directories, but we proceeded with /askjeeves.

When we explored 10.10.10.63:50000/askjeeves it led us to the “Jenkins Dashboard”. Ahhh!! It was a WOW moment for us because we knew there are many methods to exploit Jenkins. Thus we moved into the “Manage Jenkins” options, as that is the spine of Jenkins and abusing it was quite straightforward.

There were many options, but we were interested in the Script Console, because Jenkins has a very nice Groovy script console that allows someone to execute arbitrary Groovy scripts within the Jenkins master runtime.

We found a Java reverse shell on GitHub, so we copied the code and modified its localhost and port as per our specification.

Then we started a Netcat listener and ran the above Groovy script to receive the victim’s reverse connection. From the image below you can observe that we accessed a tty shell of the victim’s machine.

As we love the meterpreter shell, we loaded the Metasploit framework and executed the commands below.

Copy the highlighted text for powershell.exe and paste it inside the CMD shell as shown in the next image.

Paste the above malicious code here in netcat.

You will get a meterpreter session of the victim’s machine in your Metasploit framework; then finish the task by grabbing the user.txt and root.txt files. Next, type the following:

getuid

But currently we don’t have NT AUTHORITY\SYSTEM permission. However, we knew the techniques we had used in the Tally CTF for gaining NT AUTHORITY\SYSTEM permission.

Therefore, taking help from our previous article “Tally”, we executed the commands below and successfully gained NT AUTHORITY\SYSTEM permission.

Let me tell you that we have solved many Hack the Box CTF challenges; some of them were built on the Windows operating system, and we always grabbed user.txt from inside a folder owned by some username and root.txt from inside the Administrator folder, both of which are present inside C:\Users.

Similarly, you can observe the same thing here, and you may have understood my intention from the words above. So let’s grab the user.txt file first from inside /kohsuke/Desktop.

COOL!!! We have captured the 1st flag.

Then we went for the root.txt file, BUT it was a little bit tricky to get. The author hid root.txt using an ADS technique (Windows Alternate Data Streams), and to grab that file you can execute the commands below.

Hurray!! The /R flag of the dir command discloses root.txt, and we successfully completed the 2nd task.

2nd Method

When you have a fresh meterpreter session 1, move into the /document directory and download the CEH.kdbx file. Here also we took help from our previous article Tally.

Now run the Python script that extracts a hashcat/john crackable hash from KeePass 1.x/2.x databases.

Next, we used John the Ripper to crack the content of “passkey” with the help of the following command.

So we found the master key “moonshine1” for KeePass2, which is an application used for storing your system’s passwords; you need to install it (keepass2) using the following command.

After installing, run the command below and submit “moonshine1” in the master key field.

Inside CEH we found many credentials; we copied all the passwords from here, pasted them into a text file and got a few passwords and one NTLM hash value: aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

Awesome!!! We have meterpreter session 2 with proper NT AUTHORITY\SYSTEM permission; now use the above steps to get the root.txt file.

Note: we rebooted the target VM before starting the 2nd method.

When you have a fresh meterpreter session 2 (via psexec), execute the following command to enable the remote desktop service on the victim’s machine.

Now we have the victim’s command prompt with administrator privileges, so we can change the administrator user’s password directly with the net user command.

net user administrator 123

Now open a new terminal in your Kali Linux and type the rdesktop 10.10.10.63 command to access the victim’s remote desktop service, then submit the credentials administrator: 123 to log in.

BOOOOOM!!! Look at the screen of our victim; now let’s grab the root flag and enjoy this GUI mode.

Finding user.txt is quite easy; you can try it on your own. To grab the root.txt flag, open the CMD prompt and type the following command as done above.

Enjoy Hacking!!!!


Hack the Trollcave VM (Boot to Root)

Hello friends! Today we are going to take on another CTF challenge known as Trollcave. The credit for making this VM goes to “David Yates”, and it is another boot-to-root challenge in which our goal is to gain root access and capture the flag to complete the challenge. You can download this VM from here.

Penetrating Methodology

  • Network scanning (Nmap, netdiscover)
  • Information gathering:
  • Examining the web application framework (Ruby on Rails)
  • Mutating user IDs from 1 to 17 to confirm King’s page as the superadmin account
  • Abusing the Rails default directory for password reset (Google)
  • Exploiting IDOR to reset the password for King’s account
  • Logging into the superadmin console (King’s account)
  • Exploring the file manager tab and enabling the upload option
  • Generating an SSH RSA key without a password
  • Uploading the RSA key
  • Pwning a tty shell by SSH login
  • Kernel privilege escalation (searchsploit)
  • Encoding the exploit with base64
  • Transferring it to the victim’s machine and decoding it
  • Running the kernel exploit and gaining root access
  • Capturing the flag and finishing the challenge

Let’s Breach!!!

Let’s start by finding the IP of the VM (here I have it at 192.168.1.124, but you will have to find your own).

netdiscover

Now let’s move on to enumeration to identify the running services and open ports of the victim’s machine using the most popular tool, Nmap.

Awesome!! Nmap has dumped the details of the services running on open ports 22 and 80.

Knowing port 80 was open on the victim’s machine, I opened its IP in a browser. At first glance we saw three tabs: Home, Login and Register.

Then we scrolled down the page, noticed the Ruby gem and found that this site is based on Ruby on Rails. On the right side we saw two categories, Online users and Newest users; when we clicked on “xer”, a new web page opened.

From its URL we perceived that user xer has user ID 17, and hence there must be users with IDs between 1 and 17.

So we manually replaced id 17 with id 1 and found King’s page, which was the superadmin account.

On its home page we read the post about password reset by coderguy, referring to the Ruby gem for Rails password reset, and from Google we found the default directory for password reset. So we explored http://192.168.1.124/password_resets/new and obtained the password reset form. First we tried to reset the superadmin password but unfortunately failed, BUT we successfully got the link for xer’s password reset.

Yeah!! It was pretty good to see a link for the xer password reset, so we copied that link.


Then we pasted the copied link into the URL bar, swapped name=xer for king as shown below, and entered a new password for the superadmin (king); this is known as IDOR.

Well!!! On executing the URL it gives the message “password reset successfully”, and then we logged into the superadmin account.
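The reset link worked against king because the account to change was taken from the name in the URL rather than from the token. As an added example (not the Trollcave application’s code and not part of the original write-up), the in-memory model below shows that defect next to the usual fix: derive the account from a single-use, expiring token and never accept an account name from the client. The user names match the write-up; the token handling, TTL and demo passwords are assumptions.

```python
import secrets
import time

# Assumed lifetime for a reset token in the fixed flow.
TOKEN_TTL_SECONDS = 15 * 60


class ResetService:
    """Constructed password-reset model: two flows over the same token store."""

    def __init__(self, users):
        self.passwords = dict(users)   # user name -> current password
        self.tokens = {}               # token -> (user name, issued_at)

    def request_reset(self, name, now=None):
        """Issue a random token bound to the account that asked for it."""
        if name not in self.passwords:
            raise KeyError(name)
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (name, time.time() if now is None else now)
        return token

    def reset_vulnerable(self, token, name, new_password):
        """IDOR: the token only proves that *someone* requested a reset; the
        account actually changed is whatever name the request names."""
        if token not in self.tokens:
            raise PermissionError("unknown token")
        self.passwords[name] = new_password

    def reset_fixed(self, token, new_password, now=None):
        """The account comes from the token, which is consumed on use and
        rejected after TOKEN_TTL_SECONDS. The client never names an account."""
        entry = self.tokens.pop(token, None)
        if entry is None:
            raise PermissionError("unknown or already-used token")
        name, issued_at = entry
        if (time.time() if now is None else now) - issued_at > TOKEN_TTL_SECONDS:
            raise PermissionError("token expired")
        self.passwords[name] = new_password
        return name


def demo():
    """Run both flows with a token issued for xer.
    Returns (king's password after the vulnerable flow,
             king's password after the fixed flow,
             the account the fixed flow changed)."""
    svc = ResetService({"xer": "xer-old", "king": "king-old"})
    tok = svc.request_reset("xer", now=1000.0)
    svc.reset_vulnerable(tok, "king", "new-king-pass")   # xer's token, king's account
    king_after_vuln = svc.passwords["king"]

    svc2 = ResetService({"xer": "xer-old", "king": "king-old"})
    tok2 = svc2.request_reset("xer", now=1000.0)
    changed = svc2.reset_fixed(tok2, "new-xer-pass", now=1010.0)
    return king_after_vuln, svc2.passwords["king"], changed


def reuse_rejected():
    """True when a consumed token cannot be used a second time in the fixed flow."""
    svc = ResetService({"xer": "xer-old"})
    tok = svc.request_reset("xer", now=1000.0)
    svc.reset_fixed(tok, "p1", now=1001.0)
    try:
        svc.reset_fixed(tok, "p2", now=1002.0)
    except PermissionError:
        return True
    return False


def expiry_rejected():
    """True when a token older than TOKEN_TTL_SECONDS is refused."""
    svc = ResetService({"xer": "xer-old"})
    tok = svc.request_reset("xer", now=1000.0)
    try:
        svc.reset_fixed(tok, "p1", now=1000.0 + TOKEN_TTL_SECONDS + 1)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), reuse_rejected(), expiry_rejected())
```

In a real application the token should also be stored hashed, so that a database read does not hand out live reset links, and the endpoint should respond identically whether or not the named account exists.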

Yippee!!! Finally we logged in as superadmin and accessed the admin console; we saw many tabs and clicked on file manager.


Here we saw an enable file upload option, and we enabled it so that we could upload a backdoor whenever we needed to.

Thus we started by uploading a PHP backdoor but failed; similarly we tried many backdoors such as Ruby, C shell and more but failed each time. After many attempts we successfully uploaded an SSH RSA key file.

To do so follow the below steps:

Here we generated an SSH RSA key file named rails without a password, copied rails.pub into authorized_keys and gave it permission 600 for proper authentication.

Then upload authorized_keys and add the ../../../../../../home/rails/.ssh/authorized_keys path manually.
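The upload lands in the rails user’s .ssh directory because the file manager joins the client-supplied path onto its upload directory and trusts the result. As an added example (not the Trollcave file manager’s code and not part of the original write-up), the functions below show that join next to two hardened handlers: one that resolves the path and refuses anything outside the upload root, and one that ignores the client’s directory entirely and picks the file name itself. UPLOAD_ROOT is an assumption; the traversal string is the one from this write-up, used only as a test input.

```python
import os
import re
import secrets

# Assumed upload directory for this example.
UPLOAD_ROOT = "/srv/app/uploads"

# Extensions are only kept when they look like a plain short suffix.
SAFE_EXT_RE = re.compile(r"^\.[A-Za-z0-9]{1,8}$")


def vulnerable_destination(root: str, client_path: str) -> str:
    """The defect: join and trust. '../' segments walk out of root, and an
    absolute client path replaces root outright."""
    return os.path.normpath(os.path.join(root, client_path))


def contained_destination(root: str, client_path: str) -> str:
    """Resolve the candidate, then require it to sit strictly below root."""
    root = os.path.abspath(root)
    candidate = os.path.normpath(os.path.join(root, client_path))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes upload root: {client_path!r}")
    return candidate


def is_escape_rejected(client_path: str) -> bool:
    """True when contained_destination refuses the client path."""
    try:
        contained_destination(UPLOAD_ROOT, client_path)
    except ValueError:
        return True
    return False


def server_chosen_destination(root: str, client_name: str) -> str:
    """Stronger: discard every directory component the client sent, keep at
    most a short extension, and choose a random file name ourselves."""
    ext = os.path.splitext(os.path.basename(client_name))[1]
    if not SAFE_EXT_RE.match(ext):
        ext = ""
    return os.path.join(os.path.abspath(root), secrets.token_hex(8) + ext)


if __name__ == "__main__":
    # Constructed inputs: the write-up's traversal string and a benign name.
    for p in ("../../../../../../home/rails/.ssh/authorized_keys", "notes.txt", "/etc/passwd"):
        print(f"{p!r}: vulnerable->{vulnerable_destination(UPLOAD_ROOT, p)} "
              f"rejected={is_escape_rejected(p)} chosen->{server_chosen_destination(UPLOAD_ROOT, p)}")
```

Containment alone is not enough if the web server can be made to execute what it stores; keeping uploads outside the document root and serving them through a handler that sets a fixed content type closes that second path.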

After uploading the SSH key, it was time to connect to the target machine through SSH with the key.

Awesome!! From the image below you can observe the target machine’s tty shell.

Then we executed the lsb_release -a command to check the version and found 16.04. After that, with the help of searchsploit, we found kernel exploit 44298.c for local privilege escalation.

At that moment we copied this exploit to the Desktop and compiled it. Since it was not possible to transfer the compiled binary directly, we needed to encode the file in base64. Use the commands below to follow the same steps.

We copied the base64-encoded value, then moved into the target’s terminal, where we created an empty file exploit.base64 with nano and pasted the copied encoded content.

Then we decoded it into a new file named rootshell and gave the decoded file full permissions. At last, we ran the rootshell file to get root privileges.

BINGO!!!! We got the root flag!!!

